Archive for the ‘MXI Security: Stealth MXP’ Category

Perhaps in response to Bob’s analysis of the MXI Stealth MXP device, the manufacturer has introduced a technology that purports to prevent malicious code from being written to the “read only” partition of their Stealth MXP secure hardware encrypted flash drive.

In a very strangely worded press release on February 17, 2009, the company announced “MXI Security Expands Lockdown Delivery Service to Help Enterprise Customers Fight Malicious Software”. This allows enterprise customers to use their ACCESS Enterprise software to set a “unique management code” that guarantees that the software on devices cannot be modified by anyone except the end customer.

We tested this functionality on a Stealth MXP device. Basically a user or administrator can set a code or password which must be entered correctly when performing a software update to the “read only” partition. We set this access code, and then tried to update the software on the “read only” partition. As advertised, the software update was not successful without first entering the access code.

However, we also determined that this access code is not protected against brute force password guessing! Unlike the device password, it seems that you can try an infinite number of access codes. We tried an incorrect code 100 times, and then we entered the correct code, and the device again allowed us to load malicious software onto the “read only” partition.

It’s strange that a security company would miss out on such an obvious vulnerability. Any attacker wishing to infect a user’s device with malware could do a brute force attack on the access code of the device in order to overwrite the “read only” partition.
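The missing control is a failed-attempt counter on the access code, like the one the device password has. The following is an added example, not MXI's firmware or code from the original post: a small Python model of the update check with and without such a counter, replaying the 100-wrong-codes test described above. The class name, the sample codes and the limit of 10 failures are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 10  # assumed policy; the post does not state the device-password limit


class UpdateGate:
    """Model of the access-code check guarding the "read only" partition."""

    def __init__(self, code: str, limit_attempts: bool):
        self._salt = os.urandom(16)
        self._digest = self._derive(code)
        self._limit_attempts = limit_attempts
        self.failures = 0  # on real hardware this must live in non-volatile storage
        self.locked = False

    def _derive(self, code: str) -> bytes:
        # Iteration count kept low so the demo runs quickly.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 1_000)

    def authorize_update(self, code: str) -> bool:
        if self.locked:
            return False
        if self._limit_attempts:
            # Count the attempt before comparing, so interrupting the check
            # (for example by pulling power) cannot skip the increment.
            self.failures += 1
        ok = hmac.compare_digest(self._derive(code), self._digest)
        if not self._limit_attempts:
            return ok  # behaviour observed in the post: unlimited guesses
        if ok:
            self.failures = 0
        elif self.failures >= MAX_FAILURES:
            self.locked = True  # stays locked until an out-of-band reset
        return ok


def replay_test(limit_attempts: bool, wrong_tries: int = 100) -> bool:
    """Repeat the test from the post: N wrong codes, then the correct one."""
    gate = UpdateGate("correct-code", limit_attempts)  # constructed sample code
    for i in range(wrong_tries):
        gate.authorize_update(f"wrong-{i}")
    return gate.authorize_update("correct-code")


if __name__ == "__main__":
    print("update allowed without attempt limit:", replay_test(False))
    print("update allowed with attempt limit:", replay_test(True))
```

Without the counter, the correct code is still accepted after 100 wrong guesses; with it, the gate locks at the tenth failure and refuses even the correct code afterwards.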

Even if the devices correctly prevented a brute-force password guessing attack on the access code, this still would not prevent a malicious attacker from infecting their own new device, and leaving it in the company parking lot where an employee might pick it up and plug it into an internal company computer.

I agree with Bob’s initial comment that secure devices should actually require a valid digital signature on the software before allowing an update to happen.

Well, Bob has done it again. He just sent me a PDF that reveals a major vulnerability in MXI’s secure USB drive, the Stealth MXP.

The short version is that anyone carrying a Stealth MXP could be carrying a trojan. Read the PDF on the MXI Stealth MXP trojan vulnerability to learn the details – it should give you some idea of what you’re facing. It will also likely spur an immediate security review of all Stealth MXPs deployed by security-sensitive organizations. The decision that will need to be made is whether or not a thorough scan of the “read only” partition will be sufficient to reveal any and all malware, and thus regain confidence in the devices. Perhaps MXI Security will release some sort of validator to run against their drives to confirm that they haven’t been tampered with.

This is unfortunate for customers of MXI Security, as it follows on top of the MXP Stealth crack revealed a few months ago by the folks at Objectif Sécurité. It will be interesting to see if another patch will follow MXI06-001 to remedy this new fault.

While we’re looking at the Stealth MXP, it is interesting to note that it uses another security technology that has been hacked on numerous occasions – biometric fingerprint scanners. Probably the best known case was when the folks at the popular TV show MythBusters hacked a fingerprint scanner, though there have been many others. While biometric scanners are often positioned as an additional layer of security, they are clearly an additional layer of false security, and as such are best avoided.

The Stealth MXP USB memory stick from MXI Security has been cracked. Upon being confronted with the breach, MXI issued Security Bulletin MXI06-001, which reads in part “MXI ACCESS and ACCESS Enterprise Client software incorrectly manages a hashed password history list allowing attackers to execute an off-line attack on the hashes to guess a password in the list”. Check out the full report from Heise Security to learn about the three mistakes MXI made in designing its encrypted USB drive.